LAB#14 2013-TE-104: Wireshark Introduction Objective

Download as docx, pdf, or txt
Download as docx, pdf, or txt
You are on page 1of 10

LAB#14

2013-TE-104

LAB # 14
WIRESHARK INTRODUCTION
OBJECTIVE
Learn how to capture packets and analyzing various fields of packets by using
Wireshark software
THEORY
Ones understanding of network protocols can often be greatly deepened by seeing
protocols in action and by playing around with protocols observing the
sequence of messages exchanged between two protocol entities, delving down into
the details of protocol operation, and causing protocols to perform certain actions
and then observing these actions and their consequences. This can be done in
simulated scenarios or in a real network environment such as the Internet. In the
Wireshark labs youll be doing in this course, youll be running various network
applications in different scenarios using your own computer (or you can borrow a
friends; let me know if you dont have access to a computer where you can
install/run Wireshark). Youll observe the network protocols in your computer in
action, interacting and exchanging messages with protocol entities executing
elsewhere in the Internet. Thus, you and your computer will be an integral part of
these live labs. Youll observe, and youll learn, by doing.
In this first Wireshark lab, youll get acquainted with Wireshark, and make some
simple packet captures and observations.
The basic tool for observing the messages exchanged between executing protocol
entities is called a packet sniffer. As the name suggests, a packet sniffer captures
(sniffs) messages being sent/received from/by your computer; it will also typically
store and/or display the contents of the various protocol fields in these captured
messages. A packet sniffer itself is passive. It observes messages being sent and
received by applications and protocols running on your computer, but never sends
packets itself. Similarly, received packets are never explicitly addressed to the
packet sniffer. Instead, a packet sniffer receives a copy of packets that are
sent/received from/by application and protocols executing on your machine.
Figure 1 shows the structure of a packet sniffer. At the right of Figure 1 are the
protocols (in this case, Internet protocols) and applications (such as a web browser
or ftp client) that normally run on your computer. The packet sniffer, shown within
the dashed rectangle in Figure 1 is an addition to the usual software in your
computer, and consists of two parts. The packet capture library receives a copy
of every link-layer frame that is sent from or received by your computer. Recall from
the discussion from section 1.5 in the text (Figure 1.241) that messages exchanged
by higher layer protocols such as HTTP, FTP, TCP, UDP, DNS, or IP all are eventually
encapsulated in link-layer frames that are transmitted over physical media such as
an Ethernet cable. In Figure 1, the assumed physical media is an Ethernet, and so all
upper-layer protocols are eventually encapsulated within an Ethernet frame.

LAB#14

2013-TE-104

Capturing all link-layer frames thus gives you all messages sent/received from/by all
protocols and applications executing in your computer.

The second component of a packet sniffer is the packet analyzer, which displays
thecontents of all fields within a protocol message. In order to do so, the packet
analyzermust understand the structure of all messages exchanged by protocols.
For example,suppose we are interested in displaying the various fields in messages
exchanged by theHTTP protocol in Figure 1. The packet analyzer understands the
format of Ethernetframes, and so can identify the IP datagram within an Ethernet
frame. It also understandsthe IP datagram format, so that it can extract the TCP
segment within the IP datagram.
Finally, it understands the TCP segment structure, so it can extract the HTTP
messagecontained in the TCP segment. Finally, it understands the HTTP protocol
and so, forexample, knows that the first bytes of an HTTP message will contain the
string GET,POST, or HEAD,.
We will be using the Wireshark packet sniffer [http://www.wireshark.org/] for these
labs,allowing us to display the contents of messages being sent/received from/by
protocols atdifferent levels of the protocol stack. (Technically speaking, Wireshark is
a packetanalyzer that uses a packet capture library in your computer). Wireshark is
a free networkprotocol analyzer that runs on Windows, Linux/Unix, and Mac
computers. Its an idealpacket analyzer for our labs it is stable, has a large user
base
and
well-documentedsupport
that
includes
a
user-guide
(http://www.wireshark.org/docs/wsug_html_chunked/),
man
pages
(http://www.wireshark.org/docs/man-pages/), and a detailed FAQ
(http://www.wireshark.org/faq.html), rich functionality that includes the capability to
analyze hundreds of protocols, and a well-designed user interface. It operates
incomputers using Ethernet, serial (PPP and SLIP), 802.11 wireless LANs, and many
otherlink-layer technologies (if the OS on which it's running allows Wireshark to do
so).

LAB#14

2013-TE-104

Getting Wireshark
In order to run Wireshark, you will need to have access to a computer that supports
both Wireshark and the libpcapor WinPCappacket capture library. The
libpcapsoftware willbe installed for you, if it is not installed within your operating
system, when you installWireshark. Seehttp://www.wireshark.org/download.html for
a list of supportedoperating systems and download sites
Download and install the Wireshark software:
Go to http://www.wireshark.org/download.html and download and install
theWireshark binary for your computer.
The Wireshark FAQ has a number of helpful hints and interesting tidbits of
information,particularly if you have trouble installing or running Wireshark.
Running Wireshark
When you run the Wireshark program, youll get a startup screen, as shown below:

Take a look at the upper left hand side of the screen youll see an Interface list.
This is the list of network interfaces on your computer. Once you choose an
interface, Wireshark will capture all packets on that interface. In the example above,
there is an
Ethernet interface (Gigabit network Connection) and a wireless interface
(Microsoft).
If you click on one of these interfaces to start packet capture (i.e., for Wireshark to
begin capturing all packets being sent to/from that interface), a screen like the one
below will be displayed, showing information about the packets being captured.
Once you start packet capture, you can stop it by using the Capture pull down menu
and selecting Stop.

LAB#14

2013-TE-104

The Wireshark interface has five major components:


The command menus are standard pulldown menus located at the top of
thewindow. Of interest to us now are the File and Capture menus. The File
menuallows you to save captured packet data or open a file containing
previouslycaptured packet data, and exit the Wireshark application. The Capture
menuallows you to begin packet capture.
The packet-listing window displays a one-line summary for each
packetcaptured, including the packet number (assigned by Wireshark; this is not
apacket number contained in any protocols header), the time at which the
packetwas captured, the packets source and destination addresses, the protocol
type,and protocol-specific information contained in the packet. The packet listing
canbe sorted according to any of these categories by clicking on a column name.
Theprotocol type field lists the highest-level protocol that sent or received this
packet,i.e., the protocol that is the source or ultimate sink for this packet.
The packet-header details window provides details about the packet
selected(highlighted) in the packet-listing window. (To select a packet in the
packetlistingwindow, place the cursor over the packets one-line summary in
thepacket-listing window and click with the left mouse button.). These
detailsinclude information about the Ethernet frame (assuming the packet
wassent/received over an Ethernet interface) and IP datagram that contains
thispacket. The amount of Ethernet and IP-layer detail displayed can be

LAB#14

2013-TE-104

expanded orminimized by clicking on the plus minus boxes to the left of the
Ethernet frame orIP datagram line in the packet details window. If the packet has
been carried overTCP or UDP, TCP or UDP details will also be displayed, which
can similarly beexpanded or minimized. Finally, details about the highest-level
protocol that sentor received this packet are also provided.

The packet-contents window displays the entire contents of the captured


frame,in both ASCII and hexadecimal format.
Towards the top of the Wireshark graphical user interface, is the packet
displayfilter field, into which a protocol name or other information can be
entered inorder to filter the information displayed in the packet-listing window
(and hencethe packet-header and packet-contents windows). In the example
below, welluse the packet-display filter field to have Wireshark hide (not display)
packetsexcept those that correspond to HTTP messages .

Taking Wireshark for a Test Run


The best way to learn about any new piece of software is to try it out! Well assume
thatyour computer is connected to the Internet via a wired Ethernet interface.
Indeed, Irecommend that you do this first lab on a computer that has a wired
Ethernet connection,rather than just a wireless connection. Do the following
1. Start up your favorite web browser, which will display your selected homepage.
2. Start up the Wireshark software. You will initially see a window similar to
thatshown in Figure 2. Wireshark has not yet begun capturing packets.
3. To begin packet capture, select the Capture pull down menu and select
Interfaces.This will cause the Wireshark: Capture Interfaces window to be
displayed, asshown in Figure 4.

4. Youll see a list of the interfaces on your computer as well as a count of the
packets that have been observed on that interface so far. Click on Start for
theinterface on which you want to begin packet capture (in the case, the
Gigabitnetwork Connection). Packet capture will now begin - Wireshark is
nowcapturing all packets being sent/received from/by your computer!
5. Once you begin packet capture, a window similar to that shown in Figure 3
willappear. This window shows the packets being captured. By selecting
Capturepulldown menu and selecting Stop, you can stop packet capture. But
dont stoppacket capture yet. Lets capture some interesting packets first. To do
so, wellneed to generate some network traffic. Lets do so using a web browser,
whichwill use the HTTP protocol that we will study in detail in class to
downloadcontent from a website.

LAB#14

2013-TE-104

6. While Wireshark is running, enter the URL:http://gaia.cs.umass.edu/wiresharklabs/INTRO-wireshark-file1.htmland have that page displayed in your browser. In
order to display this page, yourbrowser will contact the HTTP server at
gaia.cs.umass.edu and exchange HTTPmessages with the server in order to
download this page. The Ethernet frames containing these HTTP messages (as
well as all other frames passing through your Ethernet adapter) will be captured
byWireshark.
7. After your browser has displayed the INTRO-wireshark-file1.html page (it is
asimple one line of congratulations), stop Wireshark packet capture by
selectingstop in the Wireshark capture window. The main Wireshark window
should nowlook similar to Figure 3. You now have live packet data that contains
all protocolmessages exchanged between your computer and other network
entities! TheHTTP message exchanges with the gaia.cs.umass.edu web server
should appearsomewhere in the listing of packets captured. But there will be
many other typesof packets displayed as well (see, e.g., the many different
protocol types shown inthe Protocol column in Figure 3). Even though the only
action you took was todownload a web page, there were evidently many other
protocols running on yourcomputer that are unseen by the user. Well learn much
more about theseprotocols as we progress through the text! For now, you should
just be aware thatthere is often much more going on than meets the eye!
8. Type in http (without the quotes, and in lower case all protocol names are
inlower case in Wireshark) into the display filter specification window at the top
ofthe main Wireshark window. Then select Apply (to the right of where you
enteredhttp). This will cause only HTTP message to be displayed in the packetlistingwindow.
9. Find the HTTP GET message that was sent from your computer to
thegaia.cs.umass.edu HTTP server. (Look for an HTTP GET message in the
listingof captured packets portion of the Wireshark window (see Figure 3) that
showsGET followed by the gaia.cs.umass.edu URL that you entered. When
youselect the HTTP GET message, the Ethernet frame, IP datagram, TCP
segment,and HTTP message header information will be displayed in the packetheaderwindow2. By clicking on + and - right-pointing and down-pointing
arrowheadsto the left side of the packet details window, minimize the amount of
Frame,Ethernet, Internet Protocol, and Transmission Control Protocol
informationdisplayed. Maximize the amount information displayed about the
HTTP protocol.Your Wireshark display should now look roughly as shown in Figure
5. (Note, inparticular, the minimized amount of protocol information for all
protocols exceptHTTP, and the maximized amount of protocol information for
HTTP in thepacket-header window).
10.Exit Wireshark
Congratulations! Youve now completed the first lab.

LAB#14

Wireshark:

2013-TE-104

LAB#14

2013-TE-104

LAB#14

2013-TE-104

ASSIGNMENT:
1. List 3 different protocols that appear in the protocol column in

the unfiltered packet-listing window in step 7 above.


a. TCP
b. SSDP
c. HTTP

2. How long did it take from when the HTTP GET message was sent
until the HTTP OK reply was received? (By default, the value of
the Time column in the packet listing window is the amount of
time, in seconds, since Wireshark tracing began. To display the
Time field in time-of-day format, select the Wireshark View pull
down menu, then select Time Display Format, then select Timeof-day.)
Time = Packet sent Packet received
= 19.331657 19.225443
Time = 0.106214 sec

LAB#14

2013-TE-104

3. What is the Internet address of the gaia.cs.umass.edu (also


known as wwwnet. cs.umass.edu)? What is the Internet address
of your computer?
Internet address = 192.168.1.116
Internet address of gaia.cs.umass.edu = 128.119.245.12

You might also like